What is the future of TPP certificates after Brexit?
announced in July this year that eIDAS certificates of UK Third-Party Providers (TPP) will be revoked by 31 Dec 2020. Therefore, the FCA had to intervene to limit the risk of disruption to open banking services after Brexit.
The FCA organized a consultation among industry members before addressing this issue. After careful analysis of the information gathered, the FCA will allow UK-based TPPs to use certificates other than eIDAS to access customer account information from account providers or to initiate payments, and will also allow UK ASPSPs to accept legacy OBIE certificates for a six-month transition period.
Under the FCA's proposals, UK-based banks will need to make technical changes to their systems to enable TPPs to continue accessing customer account information, by accepting alternate certificates and informing TPPs which certificates they will accept. The FCA states that:
Firms must review the changes immediately and implement any necessary changes as soon as possible. Acknowledging the challenges faced by the industry, the FCA will provide a transition period until the end of June 2021 for complying with our rules.
Regulatory Technical Standards - The new UK-RTS Article 34
What is the Effect on UK ASPSPs? - Technical Changes
UK account providers will need to accept at least one alternate certificate issued by an independent third party. ASPSPs are therefore encouraged to inform TPPs as soon as possible which certificate(s) will be accepted. The FCA stated that new additional certificates must have details of the:
- Name of the TPP
- National Competent Authority
- Firm Reference Number (FRN) of the TPP in FCA Register
Both eIDAS (QWAC/QSealC) and the OBIE OBWAC/OBSealC contain the above fields and meet the regulatory requirements of the updated UK-RTS Article 34.8. This means that UK ASPSPs that have already implemented OBWAC/OBSealC are compliant with the Brexit changes regarding the alternate form of certificates.
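As an added illustration (not Banfico's or OBIE's code), the Python sketch below shows how an ASPSP-side check could pull the three required fields out of a certificate subject. It assumes the ETSI TS 119 495 layout, where the subject's organizationIdentifier attribute (OID 2.5.4.97) has the form `PSD<country>-<NCA id>-<PSP identifier>`; the function names and the sample subjects are constructed for this example.

```python
import re

# organizationIdentifier (OID 2.5.4.97) layout from ETSI TS 119 495:
# "PSD" + 2-letter NCA country + "-" + 2-8 letter NCA id + "-" + PSP identifier
ORG_ID_RE = re.compile(r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp_id>.+)$")
ORG_ID_KEYS = ("2.5.4.97", "organizationIdentifier")


def parse_subject(dn: str) -> dict:
    """Split an RFC 4514 style subject string into {attribute: value}."""
    attrs = {}
    # Split on commas that are not backslash-escaped.
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.strip().partition("=")
        if sep:
            attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def article34_fields(dn: str) -> dict:
    """Return TPP name, NCA and FRN, or raise ValueError if any is missing."""
    attrs = parse_subject(dn)
    name = attrs.get("O")
    org_id = next((attrs[k] for k in ORG_ID_KEYS if k in attrs), None)
    if not name:
        raise ValueError("subject has no organisation name (O)")
    if not org_id:
        raise ValueError("subject has no organizationIdentifier (2.5.4.97)")
    m = ORG_ID_RE.match(org_id)
    if not m:
        raise ValueError(f"organizationIdentifier not in PSD format: {org_id!r}")
    return {"name": name, "nca": f"{m['country']}-{m['nca']}", "frn": m["psp_id"]}


# Constructed sample subjects (not real certificates or firms).
GOOD = "CN=tpp.example.test,O=Example TPP Ltd,2.5.4.97=PSDGB-FCA-123456,C=GB"
NO_ORG_ID = "CN=tpp.example.test,O=Example TPP Ltd,C=GB"

if __name__ == "__main__":
    print(article34_fields(GOOD))
    try:
        article34_fields(NO_ORG_ID)
    except ValueError as exc:
        print("rejected:", exc)
```

This only confirms that the fields are present and well formed; the subject must come from a certificate whose chain and revocation status have already been validated, and the extracted FRN still has to be matched against the FCA Register.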
What is the Effect on UK TPPs? - Alternate Certificates
UK TPPs’ eIDAS certificates could be revoked by 01 Jan 2021; they therefore need alternate certificate(s) issued by an independent third party ahead of the implementation period (IP) Completion Day on 31 December 2020. A UK TPP that is currently using OBIE legacy certificates can continue doing so until the end of the Transition Period on 30 June 2021 and migrate to Article 34.8 compliant certificates at the end of 20 Jun 2021.
However, if the TPP is using alternate certificates, it should get in touch with the UK ASPSPs to identify which certificate needs to be used. Furthermore, if the UK TPP aims to continue accessing EU ASPSPs' account information, it needs to either get licensed in the EU or become an agent of a licensed European TPP.
What is the transition Period in the UK? – ends 30 Jun 2021
Currently, in the UK there are more than 2 million customers using Open Banking features via Fintechs. A large portion of data-sharing consents have old OBIE legacy certificates associated with them. Therefore, moving to a new certification mechanism could probably mean disruption to those customers. Thus, after discussing with all Open Banking participants, the FCA has decided to allow a 6-month transition period.
What is the effect on EU ASPSPs and TPPs? – No Changes
From the EU ASPSPs' point of view, there will be no changes, as they are not required to accept any alternate certificates to eIDAS. If a UK TPP presents an eIDAS certificate after 31 December 2020, the EU ASPSP will be expected to check the revocation status and not grant access.
From the EU TPPs' perspective, there are no changes with regard to the certificates. However, if an EU TPP wants to carry on accessing UK ASPSPs' accounts, it needs to enrol in the Temporary Permission Regime (TPR) and then continue using the eIDAS certificate.
What is the implementation concern of alternate certificates?
The Christmas cut-off and COVID-19 business continuity are the primary concerns for rolling out the changes.
A UK ASPSP that needs an additional form of certificate apart from eIDAS has to come up with a delivery plan to roll out the changes. A more suitable approach is to support OBWAC/OBSealC. These new OBIE certificates are technically equivalent to eIDAS certificates (they conform to ETSI TS 119 495) but do not have “qualified” status, as OBIE is not a QTSP - Qualified Trust Service Provider.
How can Banfico help? - TPPWise SaaS
Banfico continues to help financial institutions that need technical support to comply with regulations. eIDAS checks are in themselves a complex process, hence most ASPSPs have delegated this validation to external providers such as Banfico. As Brexit brings more regulatory changes, not all ASPSPs can afford a dedicated team to track and implement the changes in the regulations, as the large banks can. Banfico and similar service providers could help ASPSPs to meet regulatory mandates with the deadline of 31 Dec 2020.
About Banfico Offerings
Banfico helps banks and electronic money institutions to comply with PSD2 and Open Banking regulations. Banfico has implemented PSD2 in leading banks in the UK, Europe, and internationally. Our solutions suite caters to
- Dedicated API interface
- eIDAS and TPP directory service
- Contingency mechanisms: Fallback Interface / MCI - Modified Customer Interface.
- AISP - Account Information Service Provider
- ASPSP - Account Servicing Payment Service Provider
- CBPII - Card Based Payment Instrument Issuer
- eIDAS - Regulation Electronic identification and trust services for electronic transactions in the internal market
- EBA - European Banking Authority
- FRN - Firm Reference Number
- IP - Implementation Period
- OBIE - Open Banking Implementation Entity
- OBSeal - Open Banking Certificates for Electronic Seal
- OBWAC - Open Banking Certificates for Website Authentication
- PISP - Payment Initiation Services Provider
- PS - Policy Statement